Deutsche Wohnen SE – €14,500,000 Fine (Germany, 2019)

After having conducted investigations in June 2017, the DPA found that the controller was structurally not deleting data in it's archive. The DPA requested to change the archive system for tenant's personal data under the previous German Data Protection Act. When the situation was reviewed after the coming into force of the GDPR, the DPA found that the company still did not comply. How do Article 5(1)(e) and Article 25(1) GDPR apply to archives? The BlnBDI found that the archive system used for storing personal data of tenants, which did not provide for a possibility to remove the personal data violated Article 5(1)(e) and Article 25(1) GDPR. There was also no legal basis for the processing of personal data anymore. The fine was calculated at 14,5 Mio Euro. In addition, the DPA found 15 other violations of the rights of individual data subjects, which lead to additional fines between 6,000 EUR and 17,000 EUR each. In February 2021 the Berlin regional court has annulled the fine, on the basis that there was no specific act of the management of the firm that had led to the infringements. The Berlin Public Prosecutor's Office has now filed an appeal against this decision, arguing that for the application of the GDPR the mere establishment of an infringement, without the establishment of a active act by management, is enough to justify regulatory action.